UserLock Documentation
UserLock Documentation
You are here: Reference > Console > Server administration > Multi-factor authentication

Multi-factor authentication

This restriction requires a user to authenticate with an additional (second) factor. UserLock supports MFA through authenticator applications using time-based-one-time-passwords (TOTP). Examples include Google Authenticator and LastPass Authenticator. TOTP are widely accepted and are more secure than other options such as SMS text based authentication.

UserLock MFA can be enabled for any user, group or OU in your Domain for all logon, unlock and reconnections to interactive sessions.. Choose granular settings to define your MFA policy by the type of operating system (Workstation or Server), the connection type (Local or Remote), and the frequency with which MFA is asked (at every connection, every N days.) There is also an option to help with the onboarding process to allow users to skip the MFA configuration for a defined number of days.

MFA messages displayed to the end user are customizable and you can enable an "Ask for help" button on the displayed dialogs to allow the end user to send e-mail (and consequently, applications compatible with e-mail such as Slack) and / or popup help requests to UserLock administrators responsible for implementing MFA.

In case an end user can’t log on, one-click admin actions are available in the UserLock console to temporarily disable MFA or to reset MFA key for a specific user.

In addition, ad-hoc reports allow you to see the evolution over time of the use of MFA in your environment: logon for which MFA was used, suspicious logons for which MFA has been canceled, skip reasons…

An MFA dashboard has been added in the UserLock Console to as a central place for all of these new features.

A use case page about UserLock MFA is available here.

How MFA works

When the user registers a TOTP-supporting device, a unique shared key is created. Both the device and the server can generate a time-based one-time password by processing that key along with the current time. By convention, each TOTP is good for 30 seconds. A user will log in using their regular password, then enter the current one-time password from their device.


  • UserLock service version 10.0 and higher
  • Windows Vista and higher or Windows Server 2008 and higher
  • Only compatible with Desktop agents version 10.0 and higher
  • Available for Interactive sessions only
  • An authentication application must be installed on the end user smartphone
  • Automatic time settings on the UserLock server and end-user smartphones. If the time is set manually, passcodes generated by the UserLock server and end-user smartphones can be out of sync and result in login errors.

Enable MFA gradually for users, groups or OU’s:

You can select users, groups, or organizational units for which you want to enable MFA. We recommend that you choose an implementation plan that allows for gradual user onboarding.

For example, enable MFA for an Active Directory group “HR”:

Fill the MFA code in the field in the dialog box

When enabling MFA for new users, consider informing them about how they will be impacted. (see the Onboarding for End Users specific section).


MFA for VPN sessions

In order to activate MFA for VPN sessions , please refer to the following advanced Use case: How to apply MFA for VPN.

Alternative MFA Methods

There is an option to allow or force users to configure a second MFA method in the event their first method is not available. For example, a user who uses a USB token can choose TOTP with an authentication application as a backup. You can access this option by going to the advanced settings by pressing F7 in the UserLock console, and changing the setting "EnableMFAFallBack" and selecting Disabled, Enabled or Force.

MFA for IIS sessions

In order to activate MFA for IIS sessions , please refer to the following Use case: How to apply MFA for IIS.


In order to activate MFA for SSO sessions , please refer to the following advanced Use case: How to apply MFA for SSO.

Unlock / Reconnect Advanced Setting

By default, all UserLock restrictions (Including MFA) are applied to logon, unlock and reconnection events. If you do not want MFA to be requested for users unlocking or reconnecting to a session, go to the advanced settings by pressing F7 in the UserLock console, and change the setting "ApplyRestrictionsonUnlock" to False. This setting will apply to all UserLock restrictions.


MFA successful feature

If the MFA code is correctly entered but another UserLock restriction refuses a connection, we cannot see the event that an MFA code has been correctly entered in the UserLock MFA reports (we can only see this only in the logs of the UserLock service).

MFA feature on Backup UserLock server

There is no MFA dashboard on Backup UserLock servers.

MFA on the web UserLock console

It is not possible to administer UserLock MFA via the UserLock web console.